Event Rules

This section is used to configure active response operations used by the LCE daemon. LCE rules are configured to analyze LCE event content and fire if preset conditions are met. Active responses include the ability to send automatic emails (msmtp, sendmail), syslog alerts (syslog, cef), or run custom commands on the LCE system.

Creating Event Rules

To add a new event rule to your configuration, in the Advanced section of Configuration, under Event Rules, click the Add a New Rule button. The Create an event rule window appears. Using this window, you can specify a name, filters, and an action to be taken.

The following documentation outlines the syntax that can be applied to filters and actions. Some examples are also available.

Rule Filters

In the Filter drop-down box, select a filter that you want to use for the event rule. The values in the Type box are contextual, based on the filter you select. In some cases, you may not need to specify a type. Generally, you will need to specify whether you want to filter data that includes or excludes the values you specify. You can specify multiple filters.

Filters

Description

Source IP (SrcIPS)

This filter will search for source IP addresses that are or are not present. The following five formats are supported:

172.16.1.1/255.255.255.0

172.16.1.1/32

172.16.1.1-255

172.16.1.1-172.16.1.255

172.16.1.1

Each of these formats represents a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example: 172.16.1.1/32, 192.168.1.1-255, 172.16.10.10

Destination IP (DstIPS)

This filter will search for destination IP addresses that are or are not present. The following five formats are supported:

172.16.1.1/255.255.255.0

172.16.1.1/32

172.16.1.1-255

172.16.1.1-172.16.1.255

172.16.1.1

Each of these formats represents a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example: 172.16.1.1/32, 192.168.1.1-255, 172.16.10.10

IP (IPS)

This filter allows for the search of IP addresses that are or are not present as either source or destination. The following five formats are supported:

172.16.1.1/255.255.255.0

172.16.1.1/32

172.16.1.1-255

172.16.1.1-172.16.1.255

172.16.1.1

Each of these formats represents a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example: 172.16.1.1/32, 192.168.1.1-255, 172.16.10.10
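The three IP filters accept the same five value formats, and the only difference between them is which address of the event they test. The following Python is an added example, not LCE code: it reduces every format to an inclusive address range, evaluates a comma-delimited list with the include/exclude setting, and applies the IPS rule (source or destination). The sample events are constructed; the filter names SrcIPS, DstIPS and IPS are the ones the page lists.

```python
import ipaddress
from typing import List, Tuple

# An inclusive address range, the common form all five filter formats reduce to.
IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_value(value: str) -> IPRange:
    """Parse one value in any of the five formats the SrcIPS/DstIPS/IPS filters accept."""
    value = value.strip()
    if "/" in value:
        # 172.16.1.1/255.255.255.0 or 172.16.1.1/32: ip_network accepts both a
        # dotted netmask and a prefix length; strict=False tolerates set host bits.
        net = ipaddress.ip_network(value, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in value:
        start_text, end_text = value.split("-", 1)
        start = ipaddress.ip_address(start_text.strip())
        end_text = end_text.strip()
        if "." not in end_text:
            # 172.16.1.1-255: the short form replaces only the last octet.
            prefix = start_text.strip().rsplit(".", 1)[0]
            end_text = f"{prefix}.{end_text}"
        end = ipaddress.ip_address(end_text)  # 172.16.1.1-172.16.1.255
        if end < start:
            raise ValueError(f"range end precedes start: {value}")
        return start, end
    single = ipaddress.ip_address(value)  # 172.16.1.1
    return single, single


def parse_filter(text: str) -> List[IPRange]:
    """A filter value is a comma-delimited list mixing any of the formats."""
    return [parse_value(v) for v in text.split(",") if v.strip()]


def describe(ranges: List[IPRange]) -> List[str]:
    """Human-readable 'lo-hi' form of parsed ranges (useful when debugging a rule)."""
    return [f"{lo}-{hi}" for lo, hi in ranges]


def ip_in_filter(ip: str, ranges: List[IPRange]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def event_matches(event: dict, filters: dict) -> bool:
    """Evaluate SrcIPS/DstIPS/IPS filters on one event.

    filters maps a filter name to (value_text, include). include=False means
    the filter matches only when the address is NOT in the list. IPS matches
    when either the source or the destination address is in the list.
    """
    for name, (text, include) in filters.items():
        ranges = parse_filter(text)
        if name == "SrcIPS":
            present = ip_in_filter(event["sip"], ranges)
        elif name == "DstIPS":
            present = ip_in_filter(event["dip"], ranges)
        elif name == "IPS":
            present = ip_in_filter(event["sip"], ranges) or ip_in_filter(event["dip"], ranges)
        else:
            raise ValueError(f"unsupported filter: {name}")
        if present != include:
            return False
    return True


# Constructed sample events (not real LCE data).
SAMPLE_EVENTS = [
    {"sip": "192.168.1.77", "dip": "172.16.10.10", "type": "login-failure"},
    {"sip": "10.0.0.5", "dip": "172.16.1.1", "type": "login-failure"},
    {"sip": "10.0.0.5", "dip": "203.0.113.9", "type": "login"},
]

if __name__ == "__main__":
    rule = {"IPS": ("172.16.1.1/32, 192.168.1.1-255, 172.16.10.10", True)}
    for ev in SAMPLE_EVENTS:
        verdict = "matches" if event_matches(ev, rule) else "no match"
        print(f'{ev["sip"]} -> {ev["dip"]}: {verdict}')
```

Note that the netmask form is normalised to its network: 172.16.1.1/255.255.255.0 covers 172.16.1.0 through 172.16.1.255, not just the host 172.16.1.1. Writing 172.16.1.1/32 is the way to match a single host in that form.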

Sensors

Filter on sensor name (available in the LCE sensor summary view or under Sensor Names) or LCE client name.

Example: XPmarketing01, Win7payroll02

Types

Filter on LCE event type.

Example: login, login-failure, intrusion

Ports

Filter on the source or destination port.

Example: 80, 443

Protocols

Filter on the protocol of the event. This is the IP protocol number carried in the IPv4 header's Protocol field (the IANA-assigned numbers: 1 for ICMP, 6 for TCP, 17 for UDP, etc.), not a protocol name.

Example: 1, 6

Users

Filter on the username in a log.

Example: bobt, johnc

Text

Filter on any string in the log. Strings can include spaces and punctuation, but not commas, which delimit multiple values. This match is case sensitive.

Example: Tenable Network Security

Text, caseless (IText)

Filter on any string in the log, matched case insensitively. Strings can include spaces and punctuation, but not commas, which delimit multiple values.

Example: Tenable Network Security

Vulnerable

Only accepts yes or no. Specify yes if you want to only match logs that correlate to vulnerable hosts.

Threshold

The number of events required over a specified length of time to trigger the rule. The timeframe is expressed using the following format:

(integer) in a [second, minute, hour, day, week, month, year]

Example: 600 in a minute

MaxQueue

The maximum number of matching events held in the rule's event queue (the logs a shell command can read through $queued_logs). Once the queue is full, further matching events are dropped from this rule's evaluation.

Ratelimit

The maximum number of triggers that will occur over a specified length of time regardless of the number of triggering events. The timeframe is expressed using the following format:

(integer) per [second, minute, hour, day, week, month, year]

Example: 1 per hour
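Threshold, MaxQueue and Ratelimit interact: Threshold decides when enough matching events have been seen, Ratelimit caps how often the action may actually run, and MaxQueue bounds how many events are held while waiting. The following Python is an added example, not LCE's implementation: it parses both timeframe formats and simulates a burst of 700 constructed login-failure logs against a "600 in a minute" rule. Its modelling choices are assumptions the page does not state: both windows are sliding, a month is 30 days and a year 365, and a trigger drains the queue the way an action using $queued_logs would.

```python
import re
from collections import deque
from typing import Deque, List, Optional, Tuple

# Seconds per unit. Month and year have no fixed length; 30 and 365 days are
# assumptions made for this example, not values documented for LCE.
UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}
# Accepts both "<n> in a <unit>" (Threshold) and "<n> per <unit>" (Ratelimit).
_SPEC = re.compile(
    r"^\s*(\d+)\s+(?:in\s+a|per)\s+(second|minute|hour|day|week|month|year)\s*$", re.I
)


def parse_window(spec: str) -> Tuple[int, int]:
    """'600 in a minute' -> (600, 60); '1 per hour' -> (1, 3600)."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"bad Threshold/Ratelimit spec: {spec!r}")
    return int(m.group(1)), UNIT_SECONDS[m.group(2).lower()]


class RuleState:
    """Per-rule state for Threshold, Ratelimit and MaxQueue (sliding windows assumed)."""

    def __init__(self, threshold: Optional[str] = None,
                 ratelimit: Optional[str] = None, maxqueue: Optional[int] = None):
        self.threshold = parse_window(threshold) if threshold else None
        self.ratelimit = parse_window(ratelimit) if ratelimit else None
        self.maxqueue = maxqueue
        self.window: Deque[float] = deque()   # timestamps counted toward Threshold
        self.fired: Deque[float] = deque()    # trigger timestamps, for Ratelimit
        self.queue: Deque[str] = deque()      # logs exposed through $queued_logs
        self.dropped = 0

    def feed(self, ts: float, log: str) -> bool:
        """Offer one matching event; return True if the rule's action should run."""
        if self.maxqueue is not None and len(self.queue) >= self.maxqueue:
            self.dropped += 1  # queue full: the event leaves rule evaluation
            return False
        self.queue.append(log)
        if self.threshold:
            needed, win = self.threshold
            self.window.append(ts)
            while self.window and self.window[0] <= ts - win:
                self.window.popleft()
            if len(self.window) < needed:
                return False
        if self.ratelimit:
            limit, win = self.ratelimit
            while self.fired and self.fired[0] <= ts - win:
                self.fired.popleft()
            if len(self.fired) >= limit:
                return False  # suppressed: trigger budget for this window is spent
            self.fired.append(ts)
        return True

    def drain_queue(self) -> List[str]:
        """What $queued_logs would hand to the action; empties the queue."""
        logs = list(self.queue)
        self.queue.clear()
        return logs


def run_burst(n_events: int, spacing: float, **rule) -> dict:
    """Feed n_events constructed login-failure logs, `spacing` seconds apart."""
    state = RuleState(**rule)
    triggers = 0
    for i in range(n_events):
        log = f"sshd[{1000 + i}]: Failed password for invalid user admin from 203.0.113.9"
        if state.feed(i * spacing, log):
            triggers += 1
            state.drain_queue()  # the action consumed $queued_logs
    return {"triggers": triggers, "dropped": state.dropped, "queued": len(state.queue)}


if __name__ == "__main__":
    burst = dict(n_events=700, spacing=0.04)  # 700 failures in 28 seconds
    print(run_burst(threshold="600 in a minute", ratelimit="1 per hour", maxqueue=1000, **burst))
    print(run_burst(threshold="600 in a minute", maxqueue=1000, **burst))
    print(run_burst(threshold="600 in a minute", ratelimit="1 per hour", maxqueue=500, **burst))
```

The three runs show the practical points: with "1 per hour" the burst produces one trigger; without a Ratelimit every event past the 600th triggers again, so a shell or email action would fire 101 times; and a MaxQueue smaller than the Threshold means the count can never be reached, because events beyond the queue size are dropped before they are counted.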

Rule Actions

In the Action drop-down box, specify an action that you want to take based on the filters you created. The following table describes the actions that are available.

Action

Description

Shell command

Runs the given command at the command line as user lce. Examples of the syntax and variables you can use with the shell command follow this table. Because values such as $log and $user are taken from the log source itself, treat them as untrusted input: pass them to a script as quoted arguments rather than building compound shell expressions from them.

Syslog

Forward logs triggered by this rule to the given syslog server. Examples of the syslog syntax follow this table.

CEF

Forward logs triggered by this rule to the given syslog server in CEF format. An example of the CEF syntax follows this table.

Ignore

Causes all events matching the filters to be ignored by LCE. If an event is ignored in this manner there will be no LCE database entry written for it, no other matching event rules will fire, and no TASLs will process this event for alerts. You cannot enter a value for this action.

The following syslog line would forward any log that triggered the rule to the remote syslog server 10.10.10.10, port 514, with the default priority of 36 (facility=4, severity=4; the syslog priority value is facility × 8 + severity):

syslog: 10.10.10.10 "Possible password guessing evidence: $log"

The following syslog line would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9 and 10.10.10.10, on port 515, with the specified priority of 116 (facility=14, severity=4, since 14 × 8 + 4 = 116):

The following case-sensitive variables may be included in the shell command string. Any command using one or more of the shell command variables below needs to be encapsulated in double quotation marks ("").

Option

Description

$sip

Source IP of event

$dip

Destination IP of event

$sport

Source port of event

$dport

Destination port of event

$proto

Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols

$vuln

"no" if the event was not correlated
with a vulnerability, "yes" otherwise.

$sensor

Name of sensor generating the event

$event1

Primary event name

$event2

Secondary event name

$type

Type name of event

$time

Time event was recorded at LCE (format: Mon MM, YYYY H:M:S)

$user

Username associated with the event

$log

Raw text of log

$queued_logs

All logs currently in the event rules queue. Use of this variable has the effect of emptying the rule's queue.
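The syslog examples above and the variable table share two mechanics worth seeing in code: how a priority value is composed from facility and severity, and how the $-variables are substituted into a message or command. The following Python is an added example, not part of LCE; the sample event is constructed, and /usr/local/bin/notify.sh is a hypothetical script name. It also shows the safe way to hand event-derived values to a shell command: split the command template into words first, then expand each word, so that a log line containing spaces, semicolons or backticks remains a single argument and never reaches a shell parser.

```python
import shlex
import string
from typing import Dict, List, Tuple

# Constructed event carrying every variable the shell-command table lists.
# The log text deliberately contains shell metacharacters (';' and backticks)
# to show why event values must be kept out of a shell's parsing.
SAMPLE_EVENT: Dict[str, str] = {
    "sip": "203.0.113.9", "dip": "172.16.1.1", "sport": "51522", "dport": "22",
    "proto": "TCP", "vuln": "no", "sensor": "linux-bastion01",
    "event1": "SSH-Invalid_User", "event2": "SSH-Failed_Password",
    "type": "login-failure", "time": "Mar 05, 2014 14:22:07", "user": "admin",
    "log": "sshd[2201]: Failed password for invalid user admin; `id` from 203.0.113.9",
    "queued_logs": "",
}


def expand(template: str, event: Dict[str, str]) -> str:
    """Substitute the $-variables. Values are inserted literally and never re-expanded,
    so a '$' inside a log line cannot pull in another variable."""
    return string.Template(template).safe_substitute(event)


def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI value (RFC 3164/5424): facility * 8 + severity."""
    return facility * 8 + severity


def split_pri(pri: int) -> Tuple[int, int]:
    """Inverse of syslog_pri: returns (facility, severity)."""
    return divmod(pri, 8)


def syslog_message(pri: int, template: str, event: Dict[str, str]) -> str:
    """Wire form of a 'syslog:' action message: '<PRI>' followed by the expanded text."""
    return f"<{pri}>{expand(template, event)}"


def shell_argv(command: str, event: Dict[str, str]) -> List[str]:
    """Split the command template with shell quoting rules FIRST, then expand each word.

    Expanding per word keeps a $log full of spaces, ';' or backticks as one
    argument. Passing the resulting list to subprocess.run(argv) without
    shell=True means no shell ever parses the event content.
    """
    return [expand(word, event) for word in shlex.split(command)]


if __name__ == "__main__":
    print(syslog_message(syslog_pri(4, 4), "Possible password guessing evidence: $log", SAMPLE_EVENT))
    print("priority 116 ->", split_pri(116))
    print(shell_argv('/usr/local/bin/notify.sh "$sip" "$user" "$log"', SAMPLE_EVENT))
```

The argv form is the one to prefer when a shell command action needs $log or $user: the page's requirement to wrap such commands in double quotation marks keeps the substituted text together, but only a non-shell invocation guarantees that metacharacters inside the log are carried as data rather than interpreted.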